[Freeipa-users] ipa fails to start after centos 7.3 upgrade

Rob Verduijn rob.verduijn at gmail.com
Fri Dec 16 10:51:57 UTC 2016


2016-12-15 13:47 GMT+01:00 Petr Vobornik <pvoborni at redhat.com>:

> On 12/12/2016 08:53 PM, Rob Verduijn wrote:
> > Hello,
> >
> > I've recently upgraded to centos 7.3.
> > Didn't intend to so soon but should have checked the announce lists before
> > launching my ansible update playbook.
> >
> > Most of my servers came through, and mostly also the ipa server.
> > There were duplicate rpms and a failed rpm upgrade.
> > After some yum magic the rpm duplicates were gone and all the updates
> > installed.
> >
> > Manually running ipa-server-upgrade also seems to finish properly.
> >
> > However
> > ipactl start keeps failing on the ntpd service.
> > Not a big surprise since it's running chronyd.
> >
> > I now start the ipa server with 'ipactl start --ignore-service-failure'
> >
> > Is there a way to explain to the script that it should check for chronyd
> > instead of ntpd ?
> >
> > I also see this a lot in the logs:
> > dns_rdatatype_fromtext() failed for attribute
> > 'idnsTemplateAttribute;cnamerecord': unknown class/type
> >
> > Is that a serious error ?
> >
> > Rob Verduijn
> >
>
> This looks like 7.3 update incorrectly added NTP service to IPA server
> services (which is displayed as NTP role in `ipa server-show $server`).
>
> A workaround might be to disable the service or remove the service
> entry. Disabling is IMHO safer.  IPA CLI tools don't allow
> enabling/disabling of services so it must be done by LDAP mod.
>
> It can be done by removing  'enabledService' config value from server's
> service entry, e.g.:
>
> dn: cn=NTP,cn=$SERVER_FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> changetype: modify
> delete: ipaConfigString
> ipaConfigString: enabledService
> -
>
> Where $SERVER_FQDN is e.g. ipa.example.com and $SUFFIX is e.g.
> dc=example,dc=com
>
>
> Rob, have you originally installed the replica with NTPD and then later
> switched manually to chrony?
>
> --
> Petr Vobornik
>

Hello,

I can't remember if I installed and configured freeipa and then switched to
chronyd or the other way around.

I had my ntpd/ntpdate services masked because I got tired of stopping and
disabling them all the time.
It seems ipactl can't deal with that.

Currently I unmasked the services and enabled them (disabling chronyd) so
that the server boots properly.

I will try your LDIF to see if I can switch back, since I do not use my
ipa server as a time source for clients.

I'll let you know the results.

Rob Verduijn
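
The LDAP modification quoted above, as an added example that is not part of the original thread: it renders the LDIF for a given server and suffix, rejects values that would alter the DN, and checks that enabledService is still present before deleting it. The function names and the GSSAPI bind (an account allowed to modify entries under cn=masters) are assumptions; SERVER_FQDN and SUFFIX are the placeholders from the quoted LDIF.

```shell
# Added example, not from the thread. Function names are hypothetical.

# Print the DN of the NTP service entry: $1 = SERVER_FQDN, $2 = SUFFIX.
ntp_service_dn() {
    printf 'cn=NTP,cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# Print the LDIF that removes the enabledService flag. Input that could
# change the DN or add LDIF lines (commas, spaces, newlines) is refused.
ntp_disable_ldif() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) echo "bad FQDN: $1" >&2; return 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9=,.-]*) echo "bad suffix: $2" >&2; return 1 ;;
        *=*) ;;
        *) echo "bad suffix: $2" >&2; return 1 ;;
    esac
    printf 'dn: %s\n' "$(ntp_service_dn "$1" "$2")"
    printf 'changetype: modify\n'
    printf 'delete: ipaConfigString\n'
    printf 'ipaConfigString: enabledService\n'
    printf '%s\n' '-'
}

# Read an ldapsearch result (LDIF) on stdin and succeed only if the entry
# still carries enabledService. Deleting a value that is not there makes
# ldapmodify fail with "No such attribute" (result code 16).
service_is_enabled() {
    grep -qix 'ipaConfigString:[[:space:]]*enabledService'
}

# Check, then apply. Defined only; call it on the IPA server after kinit.
# Assumption: the bound account may modify entries under cn=masters.
disable_ntp_service() {
    dn=$(ntp_service_dn "$1" "$2")
    if ldapsearch -LLL -Y GSSAPI -o ldif-wrap=no -b "$dn" -s base \
           ipaConfigString | service_is_enabled; then
        ntp_disable_ldif "$1" "$2" | ldapmodify -Y GSSAPI
    else
        echo "enabledService not set on $dn, nothing to do"
    fi
}

# Example call: disable_ntp_service ipa.example.com dc=example,dc=com
```

To review the change before applying it, run ntp_disable_ldif on its own and read the output.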